What is the best way to extend restful_authentication/AuthLogic to support lazy logins by an anonymous iPhone?

I'm building an iPhone application that talks to a Ruby on Rails backend. The Ruby on Rails application will also service web users. The restful_authentication plugin is an excellent way to provide quick and customizable user authentication. However, I would like users of the iPhone application to have an account created automatically by the phone's unique identifier ([[UIDevice device] uniqueIdentifier]) stored in a new column. Later, when users are ready to create a username/password, the account will be updated to contain the username and password, leaving the iPhone unique identifier intact. Users should not be able to access the website until they've set up their username/password. They can, however, use the iPhone application, since the application can authenticate itself using its identifier.

What is the best way to modify restful_authentication to do this? Create a plugin? Or modify the generated code?

What about alternative frameworks, such as AuthLogic? What is the best way to allow iPhones to get a generated auth token locked to their UUIDs, but then let the user create a username/password later?

Kevin Elliott, asked Dec 09 '08 02:12


1 Answer

I think you shouldn't use the phone identifier alone to authenticate as it is not a secret and it is probably also guessable/predictable. Don't forget that if someone wanted to hack your web app they don't have to use your code - they can just guess device IDs and try to mess with your users' data using any web client.

You should treat the device ID similar to a username - it is for identification and not authentication. I suggest you get the user to pick a password, or even better generate a random code automatically, to go with it - then send the device ID + this password/code to register the device firstly, and then subsequently to authenticate the device.

You can also bet that some users will have more than one device - either they will replace one eventually, or you will get somebody like Stephen Fry who goes around with 4 iPhones. To deal with this I would suggest that you look for a way to instantiate restful_authentication twice, once for authenticating users, and a second time for authenticating devices. I haven't used this plugin but I expect you just need to use different table parameters to make this happen. Then in your application logic allow users to associate more than one device with their account.

To do that securely either do it from the device, or have the device display a random code which they then enter into the web app to prove they own the device (this sounds more painful than it is - it is the same process that Apple uses in iTunes, Apple TV, and the Remote app - look at how they do it - so it won't be that surprising for users).

(Also make sure that when generating any random passwords you use a cryptographic random number generator as the basis - there is probably an iPhone API for this - otherwise your passwords may be predictable).

frankodwyer, answered Sep 22 '22 11:09
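The scheme the answer describes, as an added example that is not part of the original answer or of restful_authentication: the device ID is treated as a username, a secret from a cryptographic RNG is the credential, only a hash of it is stored, and the device is later linked to a user account. The `DEVICES` hash, the `devices` schema and the function names are assumptions standing in for a Rails model.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for a hypothetical Rails `devices` table
# (columns: device_id, secret_digest, user_id). Not the plugin's own code.
DEVICES = {}

# Constant-time comparison so response timing does not leak the stored digest.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Registration: the device ID is only an identifier, like a username. The
# credential is a fresh secret from a cryptographic RNG, returned to the phone
# once and kept server-side only as a SHA-256 digest.
def register_device(device_id)
  return nil if DEVICES.key?(device_id) # a known ID must not be re-registered
  secret = SecureRandom.hex(32)           # 256 bits; unlike the UDID, not guessable
  DEVICES[device_id] = { secret_digest: Digest::SHA256.hexdigest(secret), user_id: nil }
  secret
end

# Authentication: knowing the device ID alone is not enough; the secret must match.
def authenticate_device(device_id, secret)
  record = DEVICES[device_id]
  return false unless record && secret.is_a?(String)
  secure_compare(Digest::SHA256.hexdigest(secret), record[:secret_digest])
end

# Later step: attach an authenticated device to a user account (the user side is
# authenticated separately by username/password). One user may own several
# devices, and the device secret stays intact after linking.
def link_device_to_user(device_id, secret, user_id)
  return false unless authenticate_device(device_id, secret)
  DEVICES[device_id][:user_id] = user_id
  true
end

# Website access requires a linked user account; an unlinked device only gets
# the phone API.
def web_access_allowed?(device_id)
  record = DEVICES[device_id]
  !record.nil? && !record[:user_id].nil?
end
```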